@khauser khauser commented Nov 1, 2025

According to https://book.kubebuilder.io/reference/metrics.html the metrics endpoint could be secured by the controller-runtime itself without utilizing kube-rbac-proxy.

Checklist

  • Commits are signed with Developer Certificate of Origin (DCO)
  • Changelog has been updated and is aligned with our changelog requirements

Fixes #1123

Copilot AI and others added 5 commits November 1, 2025 20:18
Signed-off-by: Karsten Ludwig Hauser <[email protected]>
…orization

- Updated operator/main.go to configure metrics server with SecureServing on port 8443
- Added WithAuthenticationAndAuthorization filter for metrics endpoint
- Updated deployment to use port 8443 for metrics
- Created metrics service for operator
- Added RBAC permissions for TokenReviews and SubjectAccessReviews
- Created ClusterRole for metrics reader access
- Added e2e test for operator metrics endpoint
- Updated go.mod and go.sum with required dependencies

Co-authored-by: khauser <[email protected]>
Signed-off-by: Karsten Ludwig Hauser <[email protected]>
…ments

Co-authored-by: khauser <[email protected]>
Signed-off-by: Karsten Ludwig Hauser <[email protected]>
Added release notes for version 0.12.0, including improvements.

Signed-off-by: Karsten Ludwig Hauser <[email protected]>
Signed-off-by: Karsten Ludwig Hauser <[email protected]>
Signed-off-by: Karsten Ludwig Hauser <[email protected]>
@khauser khauser force-pushed the copilot/update-http-addon-rbac-permissions-again branch from 6e81c7e to 6058c96 Compare November 1, 2025 19:18
@khauser khauser changed the title from "Copilot/update http addon rbac permissions again" to "feat: expose and secure controller-runtime metrics" Nov 3, 2025

Development

Successfully merging this pull request may close these issues.

Critical Vulnerability - CVE-2024-24790